The Sony Pictures hackers used a vulnerability not previously known by the software’s programmers to gain access to the film studio’s networks, Re/code reported, citing multiple anonymous sources with knowledge of the government investigation.
If true, the revelation could strengthen the government’s belief that North Korea sponsored the cyberattack.
{mosads}Software vulnerabilities not known by programmers are called “zero-day” vulnerabilities because programmers have zero days to fix the software after it is compromised.
The hackers used their access to roam the company’s network for several months before launching the massive attack in late November that crippled Sony’s computer system, exposed swaths of internal documents and emails and almost caused the cancellation of a big-budget film.
The FBI has blamed North Korea for the attack, arguing the reclusive East Asian country was retaliating against Sony for its comedy, “The Interview,” which depicts a plot to assassinate North Korean leader Kim Jong Un.
It was reported Monday that hackers had been peppering Sony with spear phishing attacks — fake emails intended to lure recipients into clicking on something that downloads malware onto their computer — as far back as September.
Spear phishing attacks are often employed to exploit zero-day vulnerabilities.
Details are scarce on exactly what vulnerability the hackers exploited. But the knowledge that the digital assailants entered the network using this method could shed some light on the incident.
When cyber criminals discover these zero-day vulnerabilities, they are frequently put up for sale on the black market, where prices can run into the millions of dollars. That means the perpetrators likely had major financial backing, possibly from a foreign country.
Additionally, the discovery partially exonerates Sony’s cybersecurity practices. The company has been roundly criticized since the attack for its poor cyber defenses. But if hackers did indeed use a zero-day vulnerability to get in, Sony couldn’t have been prepared for such an intrusion.
One anonymous source familiar with the investigation into the Sony hit told Re/code that the film studio’s systems were “well-constructed and multi-faceted,” but not overly advanced.